CVE-2026-2166
7.3 HIGH · Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
This is a high-severity SQL injection flaw in the Online Reviewer System 1.0 login page. Attackers can remotely inject malicious SQL through the username or password fields to manipulate the database.
Who is affected
Any organization using this specific software version is affected. A successful attacker could steal sensitive data, bypass authentication, or take control of the database.
Recommended fix
Immediately apply any official patch from the vendor. If unavailable, use parameterized queries to fix the /login/index.php file and restrict network access to the system as a temporary measure.
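The parameterized-query fix recommended above, as an added example that is not the vendor's code or the actual contents of /login/index.php. The PDO/SQLite setup, the users table and its columns, and the function names login and unsafeQueryText are assumptions made for illustration.

```php
<?php
// Added illustration: schema, column names and helper names are assumptions,
// not taken from Online Reviewer System's real /login/index.php.
declare(strict_types=1);

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$seed = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$seed->execute(['reviewer1', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Pattern to remove: request values concatenated into the SQL text (CWE-89).
// Returned as a string only, never executed here.
function unsafeQueryText(string $username, string $password): string
{
    return "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
}

// Replacement: fixed SQL text, username bound as a parameter,
// password compared in PHP against a stored hash.
function login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same return value for unknown user and wrong password
    }
    return (int) $row['id'];
}

// Constructed inputs: a valid pair, a wrong password, and a name containing a quote.
$cases = [
    ['reviewer1', 'constructed-sample-pw'],
    ['reviewer1', 'wrong'],
    ["o'connor", 'x'],
];
foreach ($cases as [$u, $p]) {
    $id = login($pdo, $u, $p);
    printf("%-10s => %s\n", $u, $id === null ? 'rejected' : "user id $id");
}
// With concatenation, the quote in the third name ends the string literal early
// and the rest of the value is parsed as SQL rather than compared as data.
echo unsafeQueryText("o'connor", 'x'), "\n";
```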
Technical Description
A security vulnerability has been detected in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /login/index.php of the component Login. Manipulation of the argument username/password leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89, CWE-74